In a new campaign targeting financial institutions throughout the globe, the Russia-linked threat actor TA505 has been seen employing a lightweight Office file to distribute malware.
The attacks have low detection rates in Google’s VirusTotal scanning engine, and they target firms in Canada, the United States, Hong Kong, Europe, and beyond.
The effort, dubbed MirrorBlast, began in early September, following similar activity in April 2021, according to Morphisec’s security researchers.
The infection chain begins with phishing emails that transmit a malicious document, then progresses to the Google feedproxy URL, which uses SharePoint and OneDrive lures disguised as file share requests.
The URLs direct the victim to a hacked SharePoint or a phoney OneDrive site, allowing the attackers to remain undetected. Additionally, a SharePoint sign-in requirement ensures that sandboxes are avoided.
Because of ActiveX compatibility difficulties, the macro code utilised in these assaults can only be run on 32-bit versions of Office. If the computer name matches the user domain and the username is admin or administrator, the code is responsible for anti-sandboxing.
Morphisec thinks the attacks are being carried out by the famed Russia-linked threat actor TA505, commonly known as Evil Corp, based on the detected TTPs connected with the MirrorBlast campaign.
Excel documents go to the Rebol/KiXtart loader, SharePoint/OneDrive lure themes are used, and specific domain names are used in the infection chain. Furthermore, TA505 has already been linked to a website that one SharePoint lure links to, as well as other artefacts.
TA505, a financially motivated adversary active since at least 2014, is most known for using the Dridex Trojan and the Locky ransomware. However, over the last few years, the gang has shifted to using a variety of malware families, including off-the-shelf malware as well as genuine tools.
“TA505 is one of numerous commercially oriented threat organisations operating in the market today. They’re also one of the most inventive, as they have a proclivity for shifting the attacks they use to attain their objectives. “For TA505 or other innovative threat organisations, this new attack chain for MirrorBlast is no exception,” Morphisec said.